Personal data protection is a dream

By Tsai Chi-hsun 蔡季勳

After more than two years’ delay, the Personal Information Protection Act (個人資料保護法) finally came into effect on Oct. 1. However, many people, including officials from the Ministry of Justice, remain completely ignorant of the spirit of the law. The legislation aims to extend “personal rights” in our information society to respect the personal data autonomy of every person. Collecting, processing and using personal data should be done in accordance with the law and should, in principle, require the consent of the person concerned.

A look at the two-year process leading to the amendment of this piece of legislation shows that the media have expressed concern that it will jeopardize press freedom, causing the Legislative Yuan to make a U-turn to meet their demands.

When the law passed the third reading in the legislature in April 2010, the Taiwan Association for Human Rights issued a statement saying that by granting exceptions to the law — such as for academic research, crime prevention and public interest — the new version of the law departed from the spirit of personal data autonomy.

Observations from the Taiwan Association for Human Rights have proven the pessimistic predictions on Taiwan’s personal data protection, and, even more worrying, the government’s various decisions over this period seem intended to destroy the law.

Originally, the act was intended as a defensive weapon for the public against the powerful, but it has since lost its clout and has been interfered with by the government and some private institutions, such as the financial, medical and telecommunication sectors. For example, the Bureau of National Health Insurance ignored the most fundamental principle of the law and sold confidential health data.

Another example is how the government released telephone numbers and addresses of relatives of victims of the White Terror era, thus causing more pain to the families involved.

The government has also arbitrarily blocked the publication of historical data with the excuse that it is protecting third parties. This hinders transitional justice, even though the law does not apply to the deceased.

When people open bank accounts, they are required to provide personal information as if they are signing a contract to sell themselves. However, banks claim that such requirements are in accordance with the law.

In another case, one person who sought his personal data from the government was flatly rejected by the agency in question, which claimed that it was unable to provide the data because of the new law.

Furthermore, in some cases, prosecutors have even omitted important personal information, including the names of suspects, in their indictments, garnering much media attention by turning indictments into mysterious documents that nobody can understand.

During the legislative process, the government and public used “EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data” as a blueprint in the hope that they would be able to construct comprehensive protection for personal information in Taiwan.

Obviously, the government failed to gain a comprehensive understanding of the meaning of the directive. The uneven quality of the legislative process resulted in a cut-and-paste job as legislators came up with a disappointing law.